Threat of the Week: China’s Professional Hackers

Ask longtime cybercrime expert Steve Santorelli, a spokesperson for the research firm Team Cymru, about the many hacking expeditions targeting the US that appear to originate in China, and his bottom line is: “This is very disturbing. We have never seen anything this sophisticated.”

Know this: Unlike many others in IT security, Santorelli avoids bold-faced headlines and scare tactics. A onetime London policeman, he is a just-the-facts kind of guy. When he tells you he is very concerned – be afraid, be very afraid.

The maddening characteristic of these hacks: you may never know the intruders were there, because they typically take nothing away. They copy, and the originals stay exactly where they were. Imagine you have a mid-sized business customer that is negotiating a deal with a Chinese entity. It is becoming nearly a dead-on certainty, numerous sources said, that the company’s financial accounts will be surreptitiously probed.

Think about the leverage that gives the other side in a negotiation.

Or think about copying the account information of key U.S. legislators or their staffers, then hunting through it for where they spend money, on what, and whether there are obvious personal weaknesses.

“One critical point – it can’t be overstated – when something is missing you know it is missing. When data is stolen, you don’t necessarily know. The risks are what we don’t know,” said Joseph Steinberg, CEO of security firm Green Armour Solutions in Hackensack, N.J.

In a recent survey by the global IT association ISACA, 93.6% of respondents said APTs, advanced persistent threats of the kind attributed to China, pose a “serious threat.”

The “persistent” in the name is literal. Thwart their entry once and tomorrow they are back with a new gambit, and again the day after. With high-value targets their patience is seemingly infinite.

Especially worrisome is that more than 60% of the ISACA respondents said their organizations were prepared to deal with APTs, yet the technologies they cited as having on hand are of little use against highly sophisticated attacks.

Anti-virus and firewalls, the tools most commonly cited by respondents, are close to useless against government-grade attackers. Those tools stop malware that has already been seen and block unsolicited inbound connections; a targeted intrusion that arrives as a plausible email to one employee and uses custom tooling does neither. The roster of recent APT victims illustrates the point: the New York Times, the Washington Post, the U.S. Department of Energy, and most inside-the-Beltway think tanks. All had top-drawer anti-virus and firewalls, of course. They were penetrated nonetheless.

The question, said the Washington Post, isn’t who hasn’t been hacked – it’s whether the Chinese have the analytical tools to make sense of the huge volumes of data they collect every hour of the day.

The other question is how prepared credit unions are to ward off APTs. The answer, from multiple security sources, is that most have essentially no protections of value in place.

“They can penetrate pretty much anywhere,” said Ken Baylor, a vice president at security firm NSS Labs.

“Seeing the breadth and depth of the Chinese attacks I don’t think anyone is adequately defended against them,” said Ari Elias-Bachrach, a security consultant with Defensium in Silver Spring, Md., whose past work includes stints at very large credit unions. (He declined to discuss specifics of those institutions’ defenses.)

Right now, the question savvy credit union CIOs are asking is: exactly what can we do to block these hacks? Some admit they are now dropping all traffic that originates in China, but that will not work for long. Attackers with these skills do not need to connect from China; they relay through compromised or rented machines elsewhere, so the connection your firewall sees can appear to come from your hometown if they wish.

So what should a credit union do? Security experts say the time has come for financial institutions to rethink their defenses systematically, with both APTs and DDoS in view.

Adding urgency, many security experts also predict that more attacks will shift to smaller FIs, which is to say credit unions, precisely because the money-center banks have taken large steps toward toughening their perimeters.

That does not mean the attacks will stop. It means, the experts said, that the attackers will shift to easier marks. And that could be very bad news indeed for credit unions.